Book Image

Improving Your Splunk Skills

By : James D. Miller, Paul R. Johnson, Josh Diakun, Derek Mock
Book Image

Improving Your Splunk Skills

By: James D. Miller, Paul R. Johnson, Josh Diakun, Derek Mock

Overview of this book

Splunk makes it easy for you to take control of your data and drive your business with the cutting edge of operational intelligence and business analytics. Through this Learning Path, you'll implement new services and utilize them to quickly and efficiently process machine-generated big data. You'll begin with an introduction to the new features, improvements, and offerings of Splunk 7. You'll learn to efficiently use wildcards and modify your search to make it faster. You'll learn how to enhance your applications by using XML dashboards and configuring and extending Splunk. You'll also find step-by-step demonstrations that'll walk you through building an operational intelligence application. As you progress, you'll explore data models and pivots to extend your intelligence capabilities. By the end of this Learning Path, you'll have the skills and confidence to implement various Splunk services in your projects. This Learning Path includes content from the following Packt products: Implementing Splunk 7 - Third Edition by James Miller Splunk Operational Intelligence Cookbook - Third Edition by Paul R Johnson, Josh Diakun, et al

Related Content you might be interested in

Current Title:

Small book image
Improving Your Splunk Skills
James D. Miller | Paul R. Johnson | Josh Diakun | Derek Mock
Aug, 2019 | 11 hours 20 minutes
No titles found
Table of Contents (21 chapters)
Title Page
Title Page
Copyright and Credits
Copyright and Credits
Improving Your Splunk Skills
About Packt
About Packt
Why subscribe?
Packt.com
Contributors
Contributors
About the authors
Packt is searching for authors like you
Preface
Preface
Who this book is for
What this book covers
To get the most out of this book
Get in touch
Free Chapter
1
The Splunk Interface
The Splunk Interface
Logging in to Splunk
The home app
The top bar
The Search & Reporting app
Using the time picker
Using the field picker
The settings section
Splunk Cloud
Try before you buy
A quick cloud tour
The top bar in Splunk Cloud
Splunk reference app – PAS
Universal forwarder
eventgen
Next steps
2
Understanding Search
Understanding Search
Using search terms effectively
Boolean and grouping operators
Clicking to modify your search
Using fields to search
Using wildcards efficiently
All about time
Making searches faster
Sharing results with others
Searching job settings
Saving searches for reuse
Creating alerts from searches
Event annotations
3
Tables, Charts, and Fields
Tables, Charts, and Fields
About the pipe symbol
Using top to show common field values
Using stats to aggregate values
Using chart to turn data
Using timechart to show values over time
Working with fields
Chart enhancements in version 7.0
4
Data Models and Pivots
Data Models and Pivots
What is a data model?
What does a data model search?
Acceleration in version 7.0
Creating a data model
Lookup attributes
What is a pivot?
A quick example
Sparklines
5
Simple XML Dashboards
Simple XML Dashboards
The purpose of dashboards
Using wizards to build dashboards
Converting the panel to a report
Back to the dashboard
Editing XML directly
UI examples app
Building forms
Features replaced
Autorun dashboard
Scheduling the generation of dashboards
6
Extending Search
Extending Search
Using tags to simplify search
Using event types to categorize results
Using lookups to enrich data
Using macros to reuse logic
Creating workflow actions
Using external commands
7
Working with Apps
Working with Apps
Defining an app
Included apps
Installing apps
Building your first app
Editing navigation
Customizing the appearance of your app
Object permissions
App directory structure
Self-service app management
8
Building Advanced Dashboards
Building Advanced Dashboards
Reasons for working with advanced XML
Reasons for not working with advanced XML
Development process
Advanced XML structure
Converting simple XML to advanced XML
Module logic flow
Understanding layoutPanel
Reusing a query
Using intentions
Creating a custom drilldown
Third-party add-ons
9
Summary Indexes and CSV Files
Summary Indexes and CSV Files
Understanding summary indexes
When to use a summary index
When to not use a summary index
Populating summary indexes with saved searches
Using summary index events in a query
Using sistats, sitop, and sitimechart
How latency affects summary queries
How and when to backfill summary data
Reducing summary index size
Calculating top for a large time frame
Using CSV files to store transient data
10
Configuring Splunk
Configuring Splunk
Locating Splunk configuration files
The structure of a Splunk configuration file
The configuration merging logic
An overview of Splunk.conf files
User interface resources
11
Play Time – Getting Data In
Play Time – Getting Data In
Introduction
Indexing files and directories
Getting data through network ports
Using scripted inputs
Using modular inputs
Using the Universal Forwarder to gather data
Receiving data using the HTTP Event Collector
Getting data from databases using DB Connect
Loading the sample data for this book
Data onboarding – defining field extractions
Data onboarding - defining event types and tags
Installing the Machine Learning Toolkit
12
Building an Operational Intelligence Application
Building an Operational Intelligence Application
Introduction
Creating an Operational Intelligence application
Adding dashboards and reports
Organizing the dashboards more efficiently
Dynamically drilling down on activity reports
Creating a form for searching web activity
Linking web page activity reports to the form
Displaying a geographical map of visitors
Highlighting average product price
Scheduling the PDF delivery of a dashboard
13
Diving Deeper – Advanced Searching, Machine Learning and Predictive Analytics
Diving Deeper – Advanced Searching, Machine Learning and Predictive Analytics
Introduction
Calculating the average session time on a website
Calculating the average execution time for multi-tier web requests
Displaying the maximum concurrent checkouts
Analyzing the relationship of web requests
Predicting website traffic volumes
Finding abnormally-sized web requests
Identifying potential session spoofing
Detecting outliers in server response times
Forecasting weekly sales
14
Speeding Up Intelligence – Data Summarization
Speeding Up Intelligence – Data Summarization
Introduction
Calculating an hourly count of sessions versus completed transactions
Backfilling the number of purchases by city
Displaying the maximum number of concurrent sessions over time
15
Above and Beyond – Customization, Web Framework, HTTP Event Collector, REST API, and SDKs
Above and Beyond – Customization, Web Framework, HTTP Event Collector, REST API, and SDKs
Introduction
Customizing the application navigation
Adding a Sankey diagram of web hits
Developing a tag cloud of purchases by country
Adding Cell Icons to Highlight Average Product Price
Remotely querying Splunk's REST API for unique page views
Creating a Python application to return unique IP addresses
Creating a custom search command to format product names
Collecting data from remote scanning devices
Other Books You May Enjoy
Other Books You May Enjoy
Leave a review - let other readers know what you think

The home app

After logging in, the default app is the Launcher app (some refer to it as Home). This app is a launching pad for apps and tutorials.

Note that with your first login, Splunk will present a popup displaying Help us improve Splunk software that will ask you permission (Splunk) to collect information about your Splunk usage. It is up to you how to respond.

In earlier versions of Splunk, the Welcome tab provided two important shortcuts, Add data and Launch search app. In version 6.2.0, the Home app was divided into distinct areas or panes that provided easy access to Explore Splunk Enterprise (Add Data, Splunk Apps, Splunk Docs, and Splunk Answers) as well as Apps (the app management page), Search & Reporting (the link to the Search app), and an area where you can set your default dashboard (choose a home dashboard).

In version 7.0, the main page has not been changed very much, although you may notice some difference in the graphics. But the general layout remains the same, with the same panes and access to the same functionalities.

We'll cover apps and dashboards in later chapters of this book:

The Explore Splunk Enterprise pane shows the following links:

  • Product Tours (a change in 7.0): When you click here, you can select a specific tour for your review (Add Data Tour, Search Tour and Dashboards Tour).
Note: for first-timers, when you first click on any of the following links, Splunk will ask whether you'd like to pause and view a tour based on the link you chose. Of course, you always have the opportunity to go back at any time to the Product Tours link to review a tour.

  • Add Data: This links Add Data to the Splunk page. This interface is a great start for getting local data flowing into Splunk (making it available to Splunk users). The Preview data interface takes an enormous amount of complexity out of configuring dates and line breaking. We won't go through those interfaces here, but we will go through the configuration files that these wizards produce in Chapter 10, Configuring Splunk.

  • Splunk Apps: This allows you to find and install more apps from the Splunk Apps Marketplace (https://splunkbase.splunk.com). This marketplace is a useful resource where Splunk users and employees post Splunk apps, mostly free but some premium ones as well. Note that you will need to have a splunk.com user ID.

  • Splunk Docs: This is one of your links to the wide amount of Splunk documentation available, specifically https://answers.splunk.com, to come on board with the Splunk community on Splunkbase (https://splunkbase.splunk.com/) and get the best out of your Splunk deployment. In addition, this is where you can access http://docs.splunk.com/Documentation/Splunk for the very latest updates to documentation on (almost) any version of Splunk.

The Apps section shows the apps that have GUI elements on your instance of Splunk. App is an overloaded term in Splunk. An app doesn't necessarily have a GUI; it is simply a collection of configurations wrapped into a directory structure that means something to Splunk. We will discuss apps in a more detailed manner in Chapter 7, Working with Apps.

Search & Reporting is the link to the Splunk Search & Reporting app:

Beneath the Search & Reporting link, Splunk provides an outline that, when you hover over it, displays a Find More Apps balloon tip. Clicking on the link opens the (same) Browse more apps page as the Splunk Apps link mentioned earlier:

Choose a home dashboard provides an intuitive way to select an existing (simple XML) dashboard and set it as part of your Splunk Welcome or Home page. This sets you at a familiar starting point each time you enter Splunk. The following screenshot displays the Choose Default Dashboard dialog:

Once you select (from the drop-down list) an existing dashboard, it will be a part of your welcome screen every time you log in to Splunk—until you change it. There are no dashboards installed by default after installing Splunk, except the Search & Reporting app. Once you have created additional dashboards, they can be selected as the default.

Previous Section
End of Section 3
Next Section